Healthcare White Paper

The Heart of Healthcare Data Security: De-Risking Test and Production Environments
About the Authors

Viswanathan Ganapathy
Solutions Director, Healthcare Technology Excellence

Viswanathan Ganapathy is part of the Technology Excellence Group (TEG) in the Healthcare Industry Solutions Unit at Tata Consultancy Services (TCS). He conceptualizes new strategic solutions and platforms for healthcare clients including payers, integrated payer-providers, specialty providers, and pharmacy benefit management companies. Ganapathy has 25 years of industry experience in technology, solutions, and consulting with a special focus on data security. He has an MBA with a specialization in Healthcare from the Yale School of Management, Yale University, New Haven.

Daniel Logan
Enterprise Solutions Architecture Director, Healthcare Technology Excellence

Daniel Logan works with the TEG of the Healthcare Industry Solutions Unit at TCS. He works with customers across the globe in conceptualizing and designing strategic solutions for digital transformation, data analytics, and security to meet the needs of the rapidly changing healthcare landscape. Logan has 25 years of experience in information technology within the insurance and healthcare industries. His areas of expertise include enterprise architecture and planning as well as solutions, information, security, and application architecture. He is a Certified Information Systems Security Professional (CISSP) and was one of the leading contributors to the Cloud Security Alliance Enterprise Architecture reference model.
Abstract

The interconnected, integrated, and interdependent healthcare ecosystem generates several quintillion terabytes of data every day. The growing maturity of Electronic Health Record (EHR) systems and healthcare information exchanges (HIE) and the digitization of healthcare is driving down costs and improving the quality of care. However, the increasing interoperability and access to Protected Health Information (PHI) and Personally Identifiable Information (PII) is accelerating the risk of data breaches. Going by the number and magnitude of high profile security breaches that have made headlines recently, it is clear that the task of securing PHI is challenging even for the best-prepared organizations.

Healthcare security and privacy laws such as the HITECH Act and HIPAA have increased the urgency of addressing potential security risks. Not doing so could mean hefty financial penalties, increased cost of doing business, and loss of patient trust. While companies are investing in enterprise security tools to protect the production network and infrastructure, they continue to struggle with securing the data in their applications, and application databases and interfaces. The practice of using production data in test environments, while enabling the development of next generation healthcare applications, also increases vulnerability to security breaches.

This paper outlines a unique persona based approach that leverages a secure repository to effectively assess, remediate, and monitor data risks in the test environment. Assessing and understanding vulnerabilities in the test environment can, in turn, help healthcare companies secure the production environment and lay the foundation for enterprise-wide data security.
Contents

- The data-breach epidemic: Key business implications
- Defining the care plan to avoid security risks
- Improving Coverage: Preventing data breaches in the test environment
- Fortifying data: The ARM framework to enhancing data security
- Assess the risk - Identify vulnerable assets and prioritize key areas of focus
- Remediate the risk - De-identify sensitive data in test environments
- Monitor the risk - Keep sensitive data out of test environments
- Preventive care - Protecting high-value targets in production
- Long Term Care - Benefits of a persona based approach
- It Pays to Care - Securing the Future
The data-breach epidemic: Key business implications

Stolen healthcare credentials sell for 10 to 20 times more than stolen credit cards on the black market [1]. Not surprisingly, lucrative patient information residing within poorly protected applications, databases or networks, make healthcare organizations natural targets for security attacks. Using sophisticated techniques, cybercriminals are able to work around traditional security measures such as firewalls, antivirus, and intrusion detection and prevention systems. Theft or loss of laptops, computers, hard drives, PDAs, and other portable devices containing unencrypted personal information are also a major source of data security breaches. In addition, the inability to centrally manage disparate hospital systems can lead to isolated IT assets, making them vulnerable to security risks.

Security threats may also originate within the organization in the form of disgruntled or terminated employees who abuse their administrative privileges. Cloud computing and the possibility of 'shadow IT' also increase security and privacy risks related to the maintenance of data on shared computing platforms.

Ignoring these lurking security risks can lead to significant financial, legal and reputational losses. According to a study by Ponemon Institute, the cost of a data breach to healthcare organizations was USD 363 per capita in 2015, which is far higher than in any other sector. Some of the high profile security breaches are serving as a wake-up call for the healthcare industry to improve security measures:

- In a cyberattack on Anthem Inc., the largest healthcare security breach till date, the PII of nearly 80 million employees and customers was stolen.
- 57 unencrypted computer hard drives were stolen from a leased facility belonging to Blue Cross Blue Shield of Tennessee. The healthcare insurer agreed for a settlement in the wake of the breach that affected more than one million enrollees.
- Cybercriminals attacked Community Health Systems and stole the personal information of nearly 4.5 million patients. The company now faces a data breach class action lawsuit for failure to implement and follow basic security procedures.

Key figures:

- 91% of healthcare companies reported at least one incident in the past two years
- $6 BN spent by the healthcare industry due to data breaches
- $2.1 MN spent by the industry on an average incident

The aftermath of a security breach: Costly consequences

- Wastage of time and resources in managing, analyzing, and documenting the data breach
- Cost of reporting the incident to federal and state authorities
- Regulatory fines, class-action lawsuits in the case of larger breaches, and high costs of fixing IT systems damaged by the breach
- Disruptions to day-to-day operations that may hinder the delivery of critical administrative or clinical services
- Long term damage to reputation

[1] Network World, Anthem hack: Personal data stolen sells for 10X price of stolen credit card numbers, February 2015, Accessed July 2015, http://www.networkworld.com/article/2880366/security0/anthem-hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html
Defining the care plan to avoid security risks

As the healthcare industry plays catch up in the digital transformation race, organizations are collecting, managing, analyzing, and sharing an increasing amount of electronic data. Much of this includes PHI and PII from various sources including transactional systems such as enrollments, claims, billing and patient portals, as well as integrated services such as medication adherence and pricing. The widespread distribution and access to PHI through a growing array of internet-connected devices, tools, and sites makes it even more challenging to secure data.

A large healthcare payer organization typically has 2500 to 4000 applications and several membership and claim engines. In addition, a growing number of external services make the data and application landscape more complicated and vulnerable.

As custodians of large amounts of PHI and PII, healthcare organizations must comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act. The HIPAA protects the privacy of individually identifiable health information and sets national standards for the security of electronic protected health information. It also mandates notification following a breach of protected health information. The HITECH Act expands on HIPAA's security and privacy requirements. It increases fines and enforcement, expands applicability, and brings in new breach notification rules.

To stay compliant, healthcare organizations must continually monitor their physical, administrative, and technical security policies to safeguard sensitive patient information. However, there is one area that is often overlooked - the widespread use of sensitive patient data in healthcare application development. This practice exposes organizations to the risk of non-compliance and can lead to the mismanagement of PHI and PII. In the following section, we take a look at why securing the data in the test environment is important.
Improving Coverage: Preventing data breaches in the test environment

Compliance regulations and security best practices require organizations to inventory and classify their information assets. However, fast paced development cycles push rapid technological innovation through the IT departments of healthcare companies, putting sensitive data at the risk of being overlooked or mismanaged. This problem is not limited to just the production environment. It extends to the testing environment as well.

Testing forms an integral part of a successful new system roll out and testing systems have grown in complexity to address all functional groups and potential production scenarios. Often, copies of production or actual patient data are used to populate the test environment, creating security loopholes and making these the perfect target for outside and insider threats. Given the ramifications of a security breach, organizations need to start taking the threat to the test environment seriously.

Typically, production data is modified to make it safe for use in non-production environments in compliance with regulatory requirements. However, organizations face challenges in de-identifying data consistently across systems in integrated testing environments. Often, the non-standard techniques do not meet HIPAA standards. In addition, they drive up the costs for testing, development, and audits and reduce the effectiveness of test data management.

Security breaches are not limited to the production environment. To meet the time-to-market pressures, production data is used for application, integration, and performance testing. In such a scenario, lack of adequate access controls and data usage by a wider audience inflates the risk of data breaches in the test environment.

Securing healthcare data is no different from safeguarding private assets. It requires identifying and mapping the organization's PHI footprint in both production and test environments, and understanding how the data can be compromised. Once sensitive information has been identified, it should be masked with the help of a foolproof data de-identification technique. In the following section, we look at a three-step framework for de-risking the test and production environment to reduce the probability of data breaches.

Fortifying data: The ARM framework to enhancing data security

Adopting security best practices and a comprehensive approach to protecting PHI and PII in test and production environments is imperative to tackling the data security issue effectively. In our opinion, the Assess, Remediate, and Monitor (ARM) framework shown in figure 1 is a highly effective tool to prioritize, safeguard, and monitor vulnerable data and applications. ARM is a unique persona based approach to documenting the PHI footprint, remediating the test environment and securing live data.

Understanding the PHI footprint of the test environment allows organizations to acquire knowledge that can help protect their production environment as well. A robust governance mechanism can then enable continuous monitoring of critical data elements spread across the enterprise.
Figure 1: The ARM Framework for Securing the Test Environment

Assess: assess live data exposure in test environments; take application inventory and prioritize vulnerable assets; evaluate data volume and risk dimensions; identify and document PHI and PII footprint; assess existing test data management policies and procedures.

Remediate, and Monitor and Govern: purge, de-identify, or remove sensitive data from test environments; secure the persona through MDM; conduct continuous live audits; encrypt data in production environments; link data governance processes with SDLC; ensure continuous risk reduction; automate MDM to detect sensitive data in non-production environments; use landing zones before moving external data to the test environment.

Secure repository to track, audit and secure data.
Assess the risk - Identify vulnerable assets and prioritize key areas of focus

Capturing the PHI footprint is an important first step in the process of protecting the test environment against data breaches. With resources being limited, it is important to prioritize applications based on the databases that contain the most sensitive data. Organizations can then capture this information and store it in a secure repository. This can be done by following two simple steps:

Taking a data inventory

This involves identifying the development, test, integration, and performance test application environments, and the databases used in those environments. As a next step, organizations must identify the exact tables and fields that store the sensitive data, as well as the methods used to exchange data with other applications.

Evaluating the risk

Assessing the volume of sensitive data as part of the risk assessment process is important because the cost of a healthcare data breach is directly related to the number of records lost. For example, in the U.S., any data breach that impacts more than 500 records must be reported to the United States Department of Health and Human Services Office of Civil Rights. Many European countries have similar requirements.

Assessing the downstream dependencies of data is also critical since the risk of breach increases each time production data is copied. This risk is especially prevalent in integrated testing environments where it is common to run system-to-system integrated batch cycles. At the same time, organizations must assess the external data spread due to the enormity of data services, external interfaces, and trading partners. Finally, analyzing the effectiveness of current test data management practices will help identify gaps in the techniques used to generate test data or de-identify production data.

What's unique about the ARM framework?

- Persona based approach to de-identification that secures the entire persona and not just individual pieces of PHI such as the Social Security number or date of birth.
- Ability to create a secure repository to track, audit and secure PHI and PII on an ongoing basis.
- Two-pronged approach to eliminating sensitive data from the non-production environments and focusing data security implementations on high value targets in the production environment.

Remediate the risk - De-identify sensitive data in test environments

Once the vulnerable assets have been identified, the next step is to proactively reduce the risk of data breaches. While data masking is widely used to de-identify production data, the techniques are often inconsistent, leading to security gaps or inefficient testing. Data masking should alter PHI and PII while retaining the original format and properties, without impacting the application functionality and integrity. This can be done in the following ways:

De-identifying personas through an MDM approach

Data de-identification is the process of removing, masking, or altering PHI such as name, date of birth, social security number, medical ID number, and so on. Using a persona based Master Data Management (MDM) approach can improve the effectiveness of the data de-identification process. It helps secure the PHI footprint of a person across applications instead of merely securing individual pieces of sensitive data.
This approach is particularly useful when multiple lines of businesses (medical, dental, behavioral health) have separate systems for tracking their memberships. Usually, a master patient index is maintained by examining records in multiple systems and comparing different combinations of fields (name and date of birth, social security number and name, name and address, and others) across systems. A persona based approach simplifies and reduces effort by reducing the number of data pieces that need to be compared and secured. Moreover, it minimizes the chances of security breaches, since it becomes difficult to obtain other pieces of personal information once the persona has been secured.

Removing sensitive data from the non-production environment

Production data in non-production environments must be either removed or de-identified using the MDM approach described above. By leveraging a common data masking or data purging tool and standardized algorithms, organizations can mask or alter sensitive data across databases. This process is relatively straightforward with respect to standalone databases used for development or system testing. However, it gets complicated in integrated testing environments where data must be shared across multiple systems. In addition, the records for a person are expected to match across systems.

In such a scenario, it is recommended that a change window approach be used, where testing is halted for a given amount of time and all data is purged or masked in a way that provides consistency across the environments. The MDM approach can then be used to ensure consistently masked data across systems. Organizations can also leverage the secure repository to remediate risks in the test environment and encrypt data in the production environment.

Monitor the risk - Keep sensitive data out of test environments

Securing the test and production environment is just the start. With cyberattacks becoming increasingly sophisticated, organizations must take steps to monitor risks through continuous live data audits and robust governance mechanisms supported by a secure repository.
The following approaches help healthcare organizations proactively keep sensitive data out of non-production environments:

Leveraging landing zones while moving data into testing environments

During the risk assessment and inventory phase discussed earlier, an organization would have identified external and internal data entry points for testing environments. Typical entry points for a healthcare organization include data feeds from business associates, EDI gateways for claims, and integration with external enrollment processes such as health care insurance exchanges. In most cases, there will be non-production environment versions of these entry points utilized during the development and testing processes.

It is beneficial to isolate these environments from direct interaction with the entry points by placing external system data in a staging area or landing zone. Each application can then automatically scan and move the data from the landing zone into the test environment. It can either reject the dataset if it is found to contain production data or alternately, run the dataset through the standard de-identification tool.
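The persona based, consistent masking and the landing-zone scan described above can be sketched together in one place. This is an added example, not code from the white paper or from TCS; the persona index, field names, masking key, and the use of the 900-999 SSN area range as a marker for masked values are assumptions of the example, and the sample records are constructed.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Assumption: one masking key, kept in the secure repository and used by every
# masking job so all systems derive the same stand-in values. Constructed value.
MASKING_KEY = b"constructed-demo-key"
FIRST = ["Alex", "Blake", "Casey", "Devon", "Emery", "Harper", "Jordan", "Quinn"]
LAST = ["Ash", "Birch", "Cedar", "Elm", "Hazel", "Maple", "Oak", "Rowan"]
SSN_RE = re.compile(r"^(\d{3})-\d{2}-\d{4}$")


def _prf(persona_id, field):
    """Keyed, deterministic integer for one field of one persona."""
    mac = hmac.new(MASKING_KEY, f"{persona_id}|{field}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")


def mask_record(persona_id, record):
    """Derive stand-ins from the persona id, never from the real values, so the
    same person is masked identically in every system that holds them."""
    out = dict(record)
    out["first_name"] = FIRST[_prf(persona_id, "first") % len(FIRST)]
    out["last_name"] = LAST[_prf(persona_id, "last") % len(LAST)]
    n = _prf(persona_id, "ssn")
    # Format is kept (ddd-dd-dddd). Area numbers 900-999 are never issued as
    # SSNs, so a masked value is recognisable and cannot collide with a real SSN.
    out["ssn"] = f"{900 + n % 100}-{1 + n // 100 % 99:02d}-{1 + n // 9900 % 9999:04d}"
    shift = _prf(persona_id, "dob") % 361 - 180  # same -180..+180 day shift everywhere
    out["dob"] = (date.fromisoformat(record["dob"]) + timedelta(days=shift)).isoformat()
    return out


def looks_unmasked(record):
    """An SSN-shaped value outside the masked 9xx range is treated as live data."""
    m = SSN_RE.match(str(record.get("ssn", "")))
    return bool(m) and not m.group(1).startswith("9")


def landing_zone_gate(system, dataset, persona_index, policy="mask"):
    """Scan a staged dataset before it moves into the test environment.
    Returns (status, records): accepted as-is, masked, or rejected."""
    live = [r for r in dataset if looks_unmasked(r)]
    if not live:
        return "accepted", dataset
    # A live record with no known persona cannot be masked consistently: reject.
    unresolved = any((system, r["member_id"]) not in persona_index for r in live)
    if policy == "reject" or unresolved:
        return "rejected", []
    return "masked", [
        mask_record(persona_index[(system, r["member_id"])], r) if looks_unmasked(r) else r
        for r in dataset
    ]


# Constructed sample: one person known to two systems under different local ids.
PERSONA_INDEX = {("medical", "M-1001"): "P-42", ("dental", "D-77"): "P-42"}
MEDICAL = [{"member_id": "M-1001", "first_name": "Jane", "last_name": "Doe",
            "ssn": "123-45-6789", "dob": "1980-02-14"}]
DENTAL = [{"member_id": "D-77", "first_name": "JANE", "last_name": "DOE",
           "ssn": "123-45-6789", "dob": "1980-02-14"}]

if __name__ == "__main__":
    for system, data in (("medical", MEDICAL), ("dental", DENTAL)):
        print(system, landing_zone_gate(system, data, PERSONA_INDEX))
```

The gate here inspects only the SSN field; a production scan would cover every field recorded in the sensitive-data inventory.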
Using an automated MDM approach to monitor risks

Assessing non-production environments for production data must be done periodically to ensure better results. This starts with building an inventory of all applications, environments, databases, and sensitive data fields. Data governance processes linked to the Software Development Life Cycle (SDLC) help maintain the inventory and keep it up to date. Automating the MDM approach to detect sensitive data in non-production environments also helps support regular checks. In case of issues with the data de-identification process, data privacy officers can use information gathered through automated checks to follow up with application teams and data owners.

Preventive care - Protecting high-value targets in production

Organizations will find that the ARM framework - used to drive test data management efforts - can also be very useful for driving cyber security initiatives focused on data security. Often, it is not the lack of technology that slows down cyber security efforts in the production environment. Rather, it is the lack of clarity on where to start in order to minimize risk in a prioritized fashion.

The inventory and risk assessment process outlined above determines the high-value targets of the organization by identifying exactly where the sensitive data is stored and how much of it is in each database. This information can be used to drive several cyber security initiatives at the application or database level. Table 1 highlights various scenarios where the ARM framework can be leveraged for cyber security initiatives in the production environment.
| Cyber Security Initiative | Opportunities for Improvement |
| --- | --- |
| Application Security | Prioritize applications with protected data in application security reviews, application firewall programs, and entitlement reviews |
| Database Security | Prioritize databases with protected data in database activity monitoring, privileged user management, and database encryption programs |
| Server Security | Prioritize servers hosting databases and applications with protected data in privileged user management programs |
| Vulnerability Management | Prioritize servers and databases hosting protected data when vulnerabilities are found by increasing the priority or risk score for those systems. Prioritize patching and database hardening efforts for databases and servers hosting protected data |
| Data Loss Prevention | Utilize master data for protected data to decrease false-positive identification of data loss events |
| Governance, Risk and Compliance | Feed information on databases and applications containing protected information into GRC tools and processes for enterprise risk assessments |
| Security Information Event Management | Prioritize applications and databases to feed security events to the Security Operations Center. Use inventory of applications and databases with protected data to prioritize security alerts and speed up incident response and data breach notification processes. |

Table 1: Leveraging the ARM framework in the production environment
Long Term Care - Benefits of a persona based approach

The persona based approach adopted by the ARM framework ensures that development activities take place quickly and securely in test environments, with minimal disruption to business release cycles. Some of the key benefits of the ARM framework are:

- Improved regulatory compliance: Organizations can improve compliance through comprehensive de-identification and removal of sensitive data from test environments, as well as improved data audit and governance.
- Reduced risks: The ARM framework offers greater clarity on prioritizing risks. In addition, remediating test environments and securing live data significantly lowers business risks arising from data breaches at an enterprise level.
- Maintenance of application integrity: De-identification of data ensures compliance while supporting production-class testing, without hindering application functionality.
- Accelerated testing: The framework supports rapid testing that is aligned with key elements of the SDLC. It also helps improve productivity through automation of data masking, especially when provisioning new test environments.
- Consistent data masking: With multiple applications running on different databases, PHI and PII must be masked in a consistent manner across applications. The ARM framework recommends a standardized approach to de-identification of data that is scalable and flexible to meet future demands.

A large U.S. payer reduces risk on an ongoing basis with minimal disruption to operations: A case study

Business need: Secure the test environment through an accelerated solution with minimal disruption to operations and planned business releases.

Solution: Risk assessment, audit, and remediation was completed within 12 months. A secure repository was used to drive automation and support enterprise wide assessment and remediation for over 3000 applications.

Business benefits: Eliminated 65% risk at half-time with zero to minimal disruption to business and IT release cycle.
It Pays to Care - Securing the Future

The spate of healthcare security breaches has highlighted the fact that healthcare data holds immense value not only for healthcare organizations but also for unscrupulous entities. These incidents underscore the need for a new approach to data security, as it is no longer enough to rely on encryption, data leak prevention, access management, and other information security technologies. Organizations must leverage a holistic combination of process change, leadership, and technology implementation to secure both production and test environments.

An in-depth understanding of the application and data landscape is necessary to protect non-production environments from data breaches and lay the foundation for securing the production environment. Executive level sponsorship, policies and procedures, as well as employee training help control and safeguard the use of real data in non-production environments.

Robust healthcare data security goes beyond preventing data breaches. It creates superior business value by enabling healthcare organizations to adopt new business models and technologies rapidly, paving the way for enhanced efficiencies and competitive advantage.
About TCS' Healthcare Business Unit

TCS partners with leading health payers, providers and PBMs globally to enable business model transformations to address healthcare reforms, improve quality of care, increase customer engagement and reduce overheads. By streamlining and modernizing business processes and systems, TCS helps healthcare organizations realize operational efficiencies and reduce operating costs. We work closely with healthcare players to empower them to meet their consumers' demands for higher levels of service, quality of care, and new ways of interacting and engaging. Our advanced data solutions, analytics, and cutting edge digital technologies deliver a higher degree of customer centricity.

TCS' portfolio of services covers the entire payer value chain from Plan Definition, Eligibility and Enrollment, Policy Servicing, Billing, Claims Processing, Claims Adjudication, Benefit Management, Provider Management and Member Services. For providers, we deliver bespoke services for Provider Management, Claims Management, Patient Information and Financial Management, Clinical Data Management, Pharmacy Benefit Management and Revenue Cycle Management.

Contact

For more information about TCS' Healthcare Business Unit, visit: http://www.tcs.com/healthcare
Email: healthcare.solutions@tcs.com

About Tata Consultancy Services (TCS)

Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled infrastructure, engineering and assurance services. This is delivered through its unique Global Network Delivery Model™, recognized as the benchmark of excellence in software development. A part of the Tata Group, India's largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India.
All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties.

Copyright 2015 Tata Consultancy Services Limited

For more information, visit us at www.tcs.com